Overview of the Juniper SSG Series Firewalls

This article provides an overview of the Juniper SSG series firewalls. The SSG firewalls are feature-rich and powerful, with models covering everything from SMB to enterprise deployments.

Overview

Juniper SSG (Secure Services Gateway) firewalls represent the second generation of Netscreen products. This article provides information about each model, a comparison with its Netscreen predecessor, and the ideal use for each.

ScreenOS

ScreenOS is the software used on the SSG line; it also powered the Netscreen line. ScreenOS version 6 was designed specifically for the SSG line. However, Juniper has recently released version 6 for the Netscreen 5GT, the only model of the older series to get a version 6 release. Larger models such as the Netscreen 25, Netscreen 50, and Netscreen 208 did not.

ScreenOS can be managed in three ways:

CLI (command line) via SSH, telnet, or console

Web Interface

NSM (Netscreen Security Manager, now known as Network and Security Manager)
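Whichever of these paths is used, the management plane is the part of the firewall an attacker most wants to reach, so the first thing to decide on a new unit is which interfaces and which hosts may manage it at all. The configuration below is an added example, not from the original article or from Juniper's documentation: it locks an SSG 5 down to SSH version 2 and HTTPS from a single management subnet on the trust side, removes telnet, plain HTTP, SNMP and every other management service from the untrust and DMZ interfaces, and ships logs to a central syslog host. The interface names are the SSG 5's real defaults (ethernet0/0 untrust, ethernet0/1 DMZ, bgroup0 trust); the addresses 203.0.113.2/30, 192.168.10.1/24, 10.20.0.0/24, the syslog host 10.20.0.10, the admin account name fwadmin and the password placeholder are assumptions chosen for the example.

```text
# Added example: ScreenOS management-plane lockdown for an SSG 5.
# Addresses, the admin account and the syslog host are assumed values.

# Zones and addresses on the SSG 5 default interfaces
set interface ethernet0/0 zone untrust
set interface ethernet0/0 ip 203.0.113.2/30
set interface ethernet0/1 zone dmz
set interface ethernet0/1 ip 192.168.10.1/24
set interface bgroup0 zone trust
set interface bgroup0 ip 10.20.0.1/24

# Untrust: no management services of any kind (not even ping)
unset interface ethernet0/0 manage ping
unset interface ethernet0/0 manage ssh
unset interface ethernet0/0 manage telnet
unset interface ethernet0/0 manage web
unset interface ethernet0/0 manage ssl
unset interface ethernet0/0 manage snmp

# DMZ: same treatment, a compromised DMZ host must not reach the firewall
unset interface ethernet0/1 manage ssh
unset interface ethernet0/1 manage telnet
unset interface ethernet0/1 manage web
unset interface ethernet0/1 manage ssl
unset interface ethernet0/1 manage snmp

# Trust: SSH v2 and HTTPS only; telnet and plain HTTP are switched off
unset interface bgroup0 manage telnet
unset interface bgroup0 manage web
set interface bgroup0 manage ssh
set interface bgroup0 manage ssl
set ssh version v2
set ssh enable

# Even on the trust side, only the management subnet may talk to those services
set admin manager-ip 10.20.0.0 255.255.255.0

# Replace the default admin account and idle-out forgotten sessions (minutes)
set admin name fwadmin
set admin password <strong-password>
set admin auth timeout 10

# Send event and traffic logs to the central syslog host, sourced from trust
set syslog config 10.20.0.10 facilities local0 local0
set syslog config 10.20.0.10 log all
set syslog src-interface bgroup0
set syslog enable
save
```

The `#` lines are for the reader and would be dropped before pasting into the CLI. After `save`, `get interface ethernet0/0` and `get interface ethernet0/1` should list no enabled management services, `get interface bgroup0` should show only SSH and SSL, and `get admin` should show the manager-ip entry and the idle timeout. Restricting the manager-ip list is what turns a leaked password into a contained problem rather than a remote compromise: the login prompt is simply not reachable from anywhere else.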

The CLI is the generally accepted method among most system and network administrators. However, the web interface is surprisingly complete, allowing admins to do 90-95% of tasks through an easy-to-use GUI. NSM is an add-on product from Juniper which must be licensed; by default it allows management of up to 25 devices, but it requires a dedicated machine to run. It will do useful things like upgrade firmware on multiple devices, move policies between different devices, and collect log information.

There are a total of 7 models in the SSG series, two of which offer a wireless option. The following information provides an overview of each model.

SSG 5

Juniper SSG-5 Firewall

The SSG-5 is considered the entry-level firewall in the series. Juniper calls it a SOHO or branch office firewall. It has a total of 7 Ethernet interfaces: 1 WAN interface, 1 DMZ interface, and 5 bgroup or "trust" interfaces. The SSG 5 supports up to 8,000 sessions, or 16,000 with an extended license key. It is available with 128MB or 256MB of memory, and also as a wireless model. Deep inspection and spam filtering are also options, but they require a special license key and 256MB of memory. Total firewall throughput is around 90 Mbps conservatively, and 40 Mbps for VPN traffic. Overall it is a great device for the price. Other options include an AUX interface for a serial connection, an ISDN port, or a V.92 modem. High availability (HA) pairs can be configured in active/active or active/passive mode with the correct licensing. The SSG 5 is comparable to the Netscreen 5GT; however, the SSG 5 is a considerable improvement in both features and performance. A rackmount shelf is available that allows 2 SSG-5 firewalls to be mounted side by side in 1U of rack space.

SSG 20

Juniper SSG-20 Firewall

The SSG 20 is considered a "better" model by Juniper despite having two fewer interfaces. This device has the same performance numbers, but has two "mini-PIM" slots allowing modular installation of ADSL, T1, ISDN, or serial interfaces. The mini-PIM cards are expensive, and this device also comes in a wireless model. Personally, I have never seen an SSG20 in use. I doubt Juniper sold many of these, as they just didn't have enough features to seem a step above the SSG 5.

SSG 140

Juniper SSG-140 Firewall

The SSG 140 is the replacement for the Netscreen 25/50. It contains a total of 10 interfaces (8 10/100 ports and 2 10/100/1000 ports). Conservative throughput is 300 Mbps, with 100 Mbps for VPN traffic. The concurrent session limit is 48,000, and the SSG 140 also has four rear PIM slots. These are different from the mini-PIM slots used in the smaller models, but provide the same functionality. This makes the SSG 140 a powerful firewall with many different configuration options. The SSG 140 is well suited to small data centers and medium-sized corporate offices.

SSG 320M

Juniper SSG-320 Firewall

The M suffix stands for modular. These models have front PIM slots allowing the addition of both WAN and LAN interfaces. The SSG 320 is a 1U modular chassis with 3 PIM slots, which can hold WAN or LAN interfaces or a mix of the two. The SSG 320 can be "upgraded" to Junos; basically this means Juniper will charge a hefty fee to transform this hardware into a J-series router. Conservative throughput is 400 Mbps, with 175 Mbps for VPN traffic. Concurrent sessions are listed at 64,000. The SSG 320 is comparable to the Netscreen 100 series, minus the modular chassis.

SSG 350M

Juniper SSG-350 Firewall

The SSG 350 is basically a larger (2U) chassis that operates the same as the 320 model. The larger chassis gives this device a total of 5 PIM slots. Conservative throughput is 500 Mbps, with 225 Mbps for VPN traffic, and the concurrent session limit is 128,000.

SSG 520M

Juniper SSG-520 Firewall

The SSG 520 is a 3U modular chassis. There are a total of 6 PIM slots: 4 PIM and 2 ePIM. The ePIM slots are "enhanced" slots that accommodate copper or SFP (small form-factor pluggable) gigabit ports. Conservative throughput is 600 Mbps, with 300 Mbps for VPN traffic, and the concurrent session limit is 128,000. The 520 model has redundant power supplies.

SSG 550M

Juniper SSG-550 Firewall

The 550 model is identical to the 520 apart from capacity: conservative throughput is 1000 Mbps, with 600 Mbps for VPN traffic, and the concurrent session limit is 256,000. This model also has redundant power supplies. The SSG 520 and 550 can be considered the SSG counterparts of the ISG line. Like all the other models, they are capable of spam filtering, deep inspection (DI), and configuration with another device as an HA pair.

The Three Ps: Price, PIMs and Purpose

When choosing a model from the SSG line, you should clearly define what the device will be used for. All SSG models can run routing protocols such as OSPF and BGP, and will also do static routing. However, they are designed to be used primarily as firewalls. If routing is a serious priority, it is best to use something like the J-series, M-series or SRX line. That being said, there are several things to watch out for with Juniper gear:

Price

Port Density

Updates

Juniper is always on the high side of the price scale. If you are trying to save money, Juniper might not be the best way to go. However, you can find some cheap used gear from liquidators or sites like eBay. The PIM cards are extremely over-priced and a little harder to come by used. PIMs for routers like the J-series and M-series are easier to find, but even used they are still very expensive.

Compared to Cisco and other vendors, Juniper devices tend to have a lower port density. If you are looking for a device that will let you plug many devices or networks into it, be careful. Make sure the PIMs you need are supported by the model you choose.

Juniper has a program called "J-Care" which is basically the equivalent of Cisco's SmartNet. It is available to paying customers and covers the hardware as well as software and firmware updates for the device. If you buy a Juniper device new, you have 90 days from the manufacture date to obtain updates without J-Care. This matters for security devices like firewalls, routers, and VPN gateways: without a contract you cannot obtain the ScreenOS releases that carry security fixes, so do your homework on this before buying, particularly for used gear. It is very hard to find the firmware online without getting it directly from Juniper. Technical support from Juniper is offered as "JTAC." Find out why JTAC sucks.
